[Midnightbsd-cvs] src: usr.bin/login: add audit support to login
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Tue Dec 9 13:27:01 EST 2008
Log Message:
-----------
add audit support to login
Modified Files:
--------------
src/usr.bin/login:
Makefile (r1.4 -> r1.5)
README (r1.3 -> r1.4)
login.1 (r1.3 -> r1.4)
login.c (r1.2 -> r1.3)
login.h (r1.2 -> r1.3)
login_fbtab.c (r1.2 -> r1.3)
pathnames.h (r1.3 -> r1.4)
Added Files:
-----------
src/usr.bin/login:
login_audit.c (r1.1)
-------------- next part --------------
Index: login_fbtab.c
===================================================================
RCS file: /home/cvs/src/usr.bin/login/login_fbtab.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -L usr.bin/login/login_fbtab.c -L usr.bin/login/login_fbtab.c -u -r1.2 -r1.3
--- usr.bin/login/login_fbtab.c
+++ usr.bin/login/login_fbtab.c
@@ -59,8 +59,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/usr.bin/login/login_fbtab.c,v 1.16 2002/03/22 01:22:49 imp Exp $");
-__MBSDID("$MidnightBSD$");
+__FBSDID("$FreeBSD: src/usr.bin/login/login_fbtab.c,v 1.18 2007/09/21 01:55:11 kevlo Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@@ -94,8 +93,8 @@
int prot;
const char *table;
- if ((fp = fopen(table = _PATH_FBTAB, "r")) == 0
- && (fp = fopen(table = _PATH_LOGINDEVPERM, "r")) == 0)
+ if ((fp = fopen(table = _PATH_FBTAB, "r")) == NULL
+ && (fp = fopen(table = _PATH_LOGINDEVPERM, "r")) == NULL)
return;
while (fgets(buf, sizeof(buf), fp)) {
@@ -134,7 +133,7 @@
{
glob_t gl;
char *path;
- int i;
+ unsigned int i;
if (glob(pattern, GLOB_NOSORT, NULL, &gl) != 0)
return;
Index: login.h
===================================================================
RCS file: /home/cvs/src/usr.bin/login/login.h,v
retrieving revision 1.2
retrieving revision 1.3
diff -L usr.bin/login/login.h -L usr.bin/login/login.h -u -r1.2 -r1.3
--- usr.bin/login/login.h
+++ usr.bin/login/login.h
@@ -22,10 +22,16 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/usr.bin/login/login.h,v 1.4 2002/03/22 01:22:49 imp Exp $
- * $MidnightBSD$
+ * $FreeBSD: src/usr.bin/login/login.h,v 1.7 2007/05/07 11:01:36 dwmalone Exp $
*/
void login_fbtab(char *, uid_t, gid_t);
-extern char **environ;
+#ifdef USE_BSM_AUDIT
+void au_login_success(void);
+void au_login_fail(const char *errmsg, int na);
+void audit_logout(void);
+#endif
+
+extern char **environ;
+extern struct passwd *pwd;
--- /dev/null
+++ usr.bin/login/login_audit.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD: src/usr.bin/login/login_audit.c,v 1.2 2007/05/07 11:01:36 dwmalone Exp $");
+
+#include <sys/types.h>
+
+#include <bsm/libbsm.h>
+#include <bsm/audit_uevents.h>
+
+#include <err.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <strings.h>
+#include <unistd.h>
+
+#include "login.h"
+
+/*
+ * Audit data
+ */
+static au_tid_t tid;
+
+/*
+ * The following tokens are included in the audit record for a successful
+ * login: header, subject, return.
+ */
+void
+au_login_success(void)
+{
+ token_t *tok;
+ int aufd;
+ au_mask_t aumask;
+ auditinfo_t auinfo;
+ uid_t uid = pwd->pw_uid;
+ gid_t gid = pwd->pw_gid;
+ pid_t pid = getpid();
+ long au_cond;
+
+ /* If we are not auditing, don't cut an audit record; just return. */
+ if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+ if (errno == ENOSYS)
+ return;
+ errx(1, "login: Could not determine audit condition");
+ }
+ if (au_cond == AUC_NOAUDIT)
+ return;
+
+ /* Compute and set the user's preselection mask. */
+ if (au_user_mask(pwd->pw_name, &aumask) == -1)
+ errx(1, "login: Could not set audit mask\n");
+
+ /* Set the audit info for the user. */
+ auinfo.ai_auid = uid;
+ auinfo.ai_asid = pid;
+ bcopy(&tid, &auinfo.ai_termid, sizeof(auinfo.ai_termid));
+ bcopy(&aumask, &auinfo.ai_mask, sizeof(auinfo.ai_mask));
+ if (setaudit(&auinfo) != 0)
+ err(1, "login: setaudit failed");
+
+ if ((aufd = au_open()) == -1)
+ errx(1,"login: Audit Error: au_open() failed");
+
+ if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
+ pid, &tid)) == NULL)
+ errx(1, "login: Audit Error: au_to_subject32() failed");
+ au_write(aufd, tok);
+
+ if ((tok = au_to_return32(0, 0)) == NULL)
+ errx(1, "login: Audit Error: au_to_return32() failed");
+ au_write(aufd, tok);
+
+ if (au_close(aufd, 1, AUE_login) == -1)
+ errx(1, "login: Audit Record was not committed.");
+}
+
+/*
+ * The following tokens are included in the audit record for failed
+ * login attempts: header, subject, text, return.
+ */
+void
+au_login_fail(const char *errmsg, int na)
+{
+ token_t *tok;
+ int aufd;
+ long au_cond;
+ uid_t uid;
+ gid_t gid;
+ pid_t pid = getpid();
+
+ /* If we are not auditing, don't cut an audit record; just return. */
+ if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+ if (errno == ENOSYS)
+ return;
+ errx(1, "login: Could not determine audit condition");
+ }
+ if (au_cond == AUC_NOAUDIT)
+ return;
+
+ if ((aufd = au_open()) == -1)
+ errx(1, "login: Audit Error: au_open() failed");
+
+ if (na) {
+ /*
+ * Non attributable event. Assuming that login is not called
+ * within a user's session => auid,asid == -1.
+ */
+ if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1,
+ pid, -1, &tid)) == NULL)
+ errx(1, "login: Audit Error: au_to_subject32() failed");
+ } else {
+ /* We know the subject -- so use its value instead. */
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
+ if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid,
+ gid, pid, pid, &tid)) == NULL)
+ errx(1, "login: Audit Error: au_to_subject32() failed");
+ }
+ au_write(aufd, tok);
+
+ /* Include the error message. */
+ if ((tok = au_to_text(errmsg)) == NULL)
+ errx(1, "login: Audit Error: au_to_text() failed");
+ au_write(aufd, tok);
+
+ if ((tok = au_to_return32(1, errno)) == NULL)
+ errx(1, "login: Audit Error: au_to_return32() failed");
+ au_write(aufd, tok);
+
+ if (au_close(aufd, 1, AUE_login) == -1)
+ errx(1, "login: Audit Error: au_close() was not committed");
+}
+
+/*
+ * The following tokens are included in the audit record for a logout:
+ * header, subject, return.
+ */
+void
+audit_logout(void)
+{
+ token_t *tok;
+ int aufd;
+ uid_t uid = pwd->pw_uid;
+ gid_t gid = pwd->pw_gid;
+ pid_t pid = getpid();
+ long au_cond;
+
+ /* If we are not auditing, don't cut an audit record; just return. */
+ if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+ if (errno == ENOSYS)
+ return;
+ errx(1, "login: Could not determine audit condition");
+ }
+ if (au_cond == AUC_NOAUDIT)
+ return;
+
+ if ((aufd = au_open()) == -1)
+ errx(1, "login: Audit Error: au_open() failed");
+
+ /* The subject that is created (euid, egid of the current process). */
+ if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
+ pid, &tid)) == NULL)
+ errx(1, "login: Audit Error: au_to_subject32() failed");
+ au_write(aufd, tok);
+
+ if ((tok = au_to_return32(0, 0)) == NULL)
+ errx(1, "login: Audit Error: au_to_return32() failed");
+ au_write(aufd, tok);
+
+ if (au_close(aufd, 1, AUE_logout) == -1)
+ errx(1, "login: Audit Record was not committed.");
+}
Index: login.1
===================================================================
RCS file: /home/cvs/src/usr.bin/login/login.1,v
retrieving revision 1.3
retrieving revision 1.4
diff -L usr.bin/login/login.1 -L usr.bin/login/login.1 -u -r1.3 -r1.4
--- usr.bin/login/login.1
+++ usr.bin/login/login.1
@@ -9,7 +9,11 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the University nor the names of its contributors
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
@@ -26,10 +30,9 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)login.1 8.2 (Berkeley) 5/5/94
-.\" $FreeBSD: src/usr.bin/login/login.1,v 1.28 2004/10/16 00:13:38 brueffer Exp $
-.\" $MidnightBSD$
+.\" $FreeBSD: src/usr.bin/login/login.1,v 1.32.2.1 2007/12/06 10:48:31 philip Exp $
.\"
-.Dd October 16, 2004
+.Dd September 13, 2006
.Dt LOGIN 1
.Os
.Sh NAME
@@ -119,8 +122,15 @@
Consult the
.Xr builtin 1
manual page.
+.Pp
+The
+.Nm
+utility will submit an audit record when login succeeds or fails.
+Failure to determine the current auditing state will
+result in an error exit from
+.Nm .
.Sh FILES
-.Bl -tag -width ".Pa /etc/login.conf" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/fbtab
changes device protections
.It Pa /etc/login.conf
@@ -136,19 +146,23 @@
.It Pa /etc/pam.d/login
.Xr pam 8
configuration file
+.It Pa /etc/security/audit_user
+user flags for auditing
+.It Pa /etc/security/audit_control
+global flags for auditing
.El
.Sh SEE ALSO
.Xr builtin 1 ,
.Xr chpass 1 ,
.Xr csh 1 ,
+.Xr newgrp 1 ,
.Xr passwd 1 ,
.Xr rlogin 1 ,
.Xr getpass 3 ,
.Xr fbtab 5 ,
.Xr login.access 5 ,
.Xr login.conf 5 ,
-.Xr environ 7 ,
-.Xr pam 8
+.Xr environ 7
.Sh HISTORY
A
.Nm
Index: login.c
===================================================================
RCS file: /home/cvs/src/usr.bin/login/login.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -L usr.bin/login/login.c -L usr.bin/login/login.c -u -r1.2 -r1.3
--- usr.bin/login/login.c
+++ usr.bin/login/login.c
@@ -17,7 +17,11 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
@@ -41,8 +45,7 @@
#endif
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/usr.bin/login/login.c,v 1.99 2005/06/01 12:23:06 maxim Exp $");
-__MBSDID("$MidnightBSD$");
+__FBSDID("$FreeBSD: src/usr.bin/login/login.c,v 1.106 2007/07/04 00:00:40 scf Exp $");
/*
* login [ name ]
@@ -170,6 +173,9 @@
login_cap_t *lc = NULL;
login_cap_t *lc_user = NULL;
pid_t pid;
+#ifdef USE_BSM_AUDIT
+ char auditsuccess = 1;
+#endif
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
@@ -288,16 +294,25 @@
pam_err = pam_start("login", username, &pamc, &pamh);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_start()");
+#ifdef USE_BSM_AUDIT
+ au_login_fail("PAM Error", 1);
+#endif
bail(NO_SLEEP_EXIT, 1);
}
pam_err = pam_set_item(pamh, PAM_TTY, tty);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_set_item(PAM_TTY)");
+#ifdef USE_BSM_AUDIT
+ au_login_fail("PAM Error", 1);
+#endif
bail(NO_SLEEP_EXIT, 1);
}
pam_err = pam_set_item(pamh, PAM_RHOST, hostname);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_set_item(PAM_RHOST)");
+#ifdef USE_BSM_AUDIT
+ au_login_fail("PAM Error", 1);
+#endif
bail(NO_SLEEP_EXIT, 1);
}
@@ -314,6 +329,9 @@
(uid == (uid_t)0 || uid == (uid_t)pwd->pw_uid)) {
/* already authenticated */
rval = 0;
+#ifdef USE_BSM_AUDIT
+ auditsuccess = 0; /* opened a terminal window only */
+#endif
} else {
fflag = 0;
(void)setpriority(PRIO_PROCESS, 0, -4);
@@ -326,9 +344,19 @@
pam_cleanup();
+ /*
+ * We are not exiting here, but this corresponds to a failed
+ * login event, so set exitstatus to 1.
+ */
+#ifdef USE_BSM_AUDIT
+ au_login_fail("Login incorrect", 1);
+#endif
+
(void)printf("Login incorrect\n");
failures++;
+ pwd = NULL;
+
/*
* Allow up to 'retry' (10) attempts, but start
* backing off after 'backoff' (3) attempts.
@@ -348,6 +376,12 @@
endpwent();
+#ifdef USE_BSM_AUDIT
+ /* Audit successful login. */
+ if (auditsuccess)
+ au_login_success();
+#endif
+
/*
* Establish the login class.
*/
@@ -471,8 +505,7 @@
if (!pflag)
environ = envinit;
if (term != NULL)
- if (setenv("TERM", term, 0) == -1)
- err(1, "setenv: cannot set TERM=%s", term);
+ setenv("TERM", term, 0);
/*
* PAM modules might add supplementary groups during pam_setcred().
@@ -543,24 +576,16 @@
exit(1);
}
- if (setenv("SHELL", pwd->pw_shell, 1) == -1)
- err(1, "setenv: cannot set SHELL=%s", pwd->pw_shell);
- if (setenv("HOME", pwd->pw_dir, 1) == -1)
- err(1, "setenv: cannot set HOME=%s", pwd->pw_dir);
+ (void)setenv("SHELL", pwd->pw_shell, 1);
+ (void)setenv("HOME", pwd->pw_dir, 1);
/* Overwrite "term" from login.conf(5) for any known TERM */
- if (term == NULL && (tp = stypeof(tty)) != NULL) {
- if (setenv("TERM", tp, 1) == -1)
- err(1, "setenv: cannot set TERM=%s", stypeof(tty));
- } else {
- if (setenv("TERM", TERM_UNKNOWN, 0) == -1)
- err(1, "setenv: cannot set TERM");
- }
- if (setenv("LOGNAME", username, 1) == -1)
- err(1, "setenv: cannot set LOGNAME=%s", username);
- if (setenv("USER", username, 1) == -1)
- err(1, "setenv: cannot set USER=%s", username);
- if (setenv("PATH", rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0) == -1)
- err(1, "setenv: cannot set PATH");
+ if (term == NULL && (tp = stypeof(tty)) != NULL)
+ (void)setenv("TERM", tp, 1);
+ else
+ (void)setenv("TERM", TERM_UNKNOWN, 0);
+ (void)setenv("LOGNAME", username, 1);
+ (void)setenv("USER", username, 1);
+ (void)setenv("PATH", rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0);
if (!quietlog) {
const char *cw;
@@ -741,10 +766,11 @@
"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
"IFS", "PATH", NULL
};
+ char *p;
const char **pp;
size_t n;
- if (strlen(s) > 1024 || strchr(s, '=') == NULL)
+ if (strlen(s) > 1024 || (p = strchr(s, '=')) == NULL)
return (0);
if (strncmp(s, "LD_", 3) == 0)
return (0);
@@ -753,7 +779,9 @@
if (s[n] == '=' && strncmp(s, *pp, n) == 0)
return (0);
}
- (void)putenv(s);
+ *p = '\0';
+ (void)setenv(s, p + 1, 1);
+ *p = '=';
return (1);
}
@@ -942,6 +970,10 @@
{
pam_cleanup();
+#ifdef USE_BSM_AUDIT
+ if (pwd != NULL)
+ audit_logout();
+#endif
(void)sleep(sec);
exit(eval);
}
Index: Makefile
===================================================================
RCS file: /home/cvs/src/usr.bin/login/Makefile,v
retrieving revision 1.4
retrieving revision 1.5
diff -L usr.bin/login/Makefile -L usr.bin/login/Makefile -u -r1.4 -r1.5
--- usr.bin/login/Makefile
+++ usr.bin/login/Makefile
@@ -1,13 +1,22 @@
# @(#)Makefile 8.1 (Berkeley) 7/19/93
-# $FreeBSD: src/usr.bin/login/Makefile,v 1.48 2004/11/03 18:01:19 ru Exp $
-# $MidnightBSD$
+# $FreeBSD: src/usr.bin/login/Makefile,v 1.53 2006/12/13 06:13:32 csjp Exp $
+
+.include <bsd.own.mk>
PROG= login
SRCS= login.c login_fbtab.c
-CFLAGS+=-DLOGALL -Wall -std=c99
+CFLAGS+=-DLOGALL
DPADD= ${LIBUTIL} ${LIBPAM}
LDADD= -lutil ${MINUSLPAM}
-.if !defined(NO_SETUID_LOGIN)
+
+.if ${MK_AUDIT} != "no"
+SRCS+= login_audit.c
+CFLAGS+= -DUSE_BSM_AUDIT
+DPADD+= ${LIBBSM}
+LDADD+= -lbsm
+.endif
+
+.if ${MK_SETUID_LOGIN} != "no"
BINOWN= root
BINMODE=4555
PRECIOUSPROG=
Index: README
===================================================================
RCS file: /home/cvs/src/usr.bin/login/README,v
retrieving revision 1.3
retrieving revision 1.4
diff -L usr.bin/login/README -L usr.bin/login/README -u -r1.3 -r1.4
--- usr.bin/login/README
+++ usr.bin/login/README
@@ -3,9 +3,10 @@
The following defines can be used:
+
- LOGALL to log all logins
+
-Guido
-$FreeBSD: src/usr.bin/login/README,v 1.4 2001/08/30 11:27:36 markm Exp $
-$MidnightBSD$
+$FreeBSD: src/usr.bin/login/README,v 1.5 2006/03/06 12:56:35 yar Exp $
Index: pathnames.h
===================================================================
RCS file: /home/cvs/src/usr.bin/login/pathnames.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -L usr.bin/login/pathnames.h -L usr.bin/login/pathnames.h -u -r1.3 -r1.4
--- usr.bin/login/pathnames.h
+++ usr.bin/login/pathnames.h
@@ -10,7 +10,11 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
@@ -27,8 +31,7 @@
* SUCH DAMAGE.
*
* @(#)pathnames.h 8.1 (Berkeley) 6/9/93
- * $FreeBSD: src/usr.bin/login/pathnames.h,v 1.5 2001/08/30 11:27:36 markm Exp $
- * $MidnightBSD$
+ * $FreeBSD: src/usr.bin/login/pathnames.h,v 1.6 2006/03/06 12:38:42 yar Exp $
*/
#include <paths.h>
More information about the Midnightbsd-cvs
mailing list